CodeIgniter 2.1.4

After doing a little research about CodeIgniter's XSS protections, I decided to quickly and crudely test this by typing some random HTML into any input field on my CodeIgniter forms.

When I type in <script>, the page is redirected to the server's default 403 error ("Forbidden") page. It's not even a CodeIgniter error page.

I'm very glad that any input data containing <script> is stopped; however, I'm not understanding why this is generating a 403 error page instead of a validation error, or at least passing the data with the offending parts stripped out.

I'm using htmlentities() to convert the < and > but this makes no difference.

It doesn't even matter if I implement the form validation. The input data of <script> will generate a 403 error even without it.

Can anyone explain what's happening here and whether I need to be worried about how this is being handled/redirected? To me it just seems like I should be getting some sort of CodeIgniter validation error or stripped-down data rather than a 403 error.

Here is a concise version of one of my Controllers. (It's happening on all Controllers with data input fields.)

```php
public function search($search_slug = NULL)
{
    $this->load->library('form_validation');
    $this->form_validation->set_rules('search-terms', 'Search Terms', 'xss_clean');

    if ($this->input->post('search-terms') && ($this->form_validation->run() !== FALSE))
    {
        $search_slug = url_title(htmlentities($this->input->post('search-terms')), 'dash', FALSE);
    }

    if ($search_slug !== NULL)
    {
        $search_terms = preg_replace('/-/', ' ', $search_slug);

        // get my results from model (model call omitted in the original post; placeholder shape only)
        $query = array('count' => 0, 'results' => array());

        if ($query['count'] > 0)
        {
            $data['results'] = $query['results'];
        }
        else
        {
            $data['results'] = '<h3>Sorry, nothing found.</h3>';
        }
    }
    else
    {
        $data['results'] = '<h3>Please enter your search terms.</h3>';
    }

    $this->template->load('default', 'search', $data);
}
```
Sparky
  • Why would you be nice to someone who tries exploring XSS? I think an ugly 403 is enough. – enapupe Feb 26 '14 at 21:37
  • @enapupe, I'm not trying to be nice to a hacker... I'm trying to understand what's happening and make sure my code is secure enough. – Sparky Feb 26 '14 at 21:43
  • Ok. Are you sure this is CI security class working? It started after you turned it on? Isn't a webserver thing? I'm a CI user and have never seen this behavior.. – enapupe Feb 26 '14 at 21:49
  • @enapupe, If I was sure about this, I wouldn't be asking here. When it started, I don't know, since I never tried this before. – Sparky Feb 26 '14 at 21:52
  • Try disabling all xss features and submit – enapupe Feb 26 '14 at 21:54
  • XSS does not show a 403 error; it just cleans your input and puts `[removed]` instead of ` – Minhaz Feb 26 '14 at 21:54
  • @MinhazAhmed agreed. This may be some apache extension doing the dirty work. – enapupe Feb 26 '14 at 21:55
  • Definitely not the default behavior. Local install here works fine with your controller - get `[search-terms] => [removed]`. Using `.htaccess`? Do the forms work without attempting xss? – stormdrain Feb 26 '14 at 21:57
  • @stormdrain, as stated in my OP, with the validation totally removed, I get the same 403 result. If it's my hosting account doing this, that's fine... I just wanted to understand it better. I installed ZenPhoto and get the same result with that too, so seems to confirm that it's something on the server. – Sparky Feb 26 '14 at 23:36
  • Sorry if I wasn't clear - I was asking if it works without attempting xss input - which you answered below. As mentioned, it works fine for me locally so seems to be something between the client and CI. Can always spin up a free AWS instance to test if you want: http://aws.amazon.com/free/ Could confirm it's your host at least. – stormdrain Feb 26 '14 at 23:43
  • @stormdrain, yes, sorry, all forms work fine. There is no problem here, just trying to understand how I was getting to a 403 page. Thanks for the offer, but setting up a cloud account sounds like more trouble than it's worth, considering that I don't mind the behavior and I trust what MinhazAhmed last said about his result. – Sparky Feb 26 '14 at 23:55
  • @MinhazAhmed, thanks for testing it out. Yes, now I believe this is something on the server and not CodeIgniter. And Yes, I understand that a 403 error is "access forbidden", but since it was being triggered by entering ` – Sparky Feb 26 '14 at 23:56

2 Answers

After reading the comments on my OP and digging into it deeper, this 403 redirect doesn't seem to have anything to do with CodeIgniter after all.

Also, after installing ZenPhoto on the same account, I see the 403 redirect when entering <script> into the ZenPhoto search box too.

Since it's shared hosting, I cannot say, with 100% certainty, that this is the result of something in Apache protecting itself, but all evidence seems to point there.

Sparky

This character is not allowed. Check the accepted answer on SO: characters allowed in a URL.

Your request wasn't reaching index.php

Apart from that, have a look at application/config/config.php:

```php
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
```

These are the characters your application allows when a request reaches it.

wcb
  • Not sure how this applies here. I don't get a 403 error using ``... only using ` – Sparky Feb 26 '14 at 23:38
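A stand-alone PHP illustration added here (not CodeIgniter's own code and not from the answer): it mirrors how CodeIgniter 2.1.x applies `permitted_uri_chars` in `URI::_filter_uri`, per URI segment and before any controller runs, so a rejected path yields CodeIgniter's own 400 error page rather than a web-server 403, and POST fields such as `search-terms` are never inspected by it. The sample paths are constructed.

```php
<?php
// Added illustration, not CodeIgniter's own code: mirrors the per-segment
// URI check that CodeIgniter 2.1.x runs in system/core/URI.php (_filter_uri)
// using $config['permitted_uri_chars'] before any controller method runs.
// Only URI segments go through it; POST fields like 'search-terms' do not.

function permitted_uri_class($permitted)
{
    // As in CI: quote the config value for use inside [...], then restore '-'
    // so ranges such as a-z and 0-9 keep working.
    return str_replace(array('\\-', '\-'), '-', preg_quote($permitted, '-'));
}

function segment_allowed($segment, $permitted = 'a-z 0-9~%.:_\-')
{
    // CI skips the test for an empty segment or an empty setting.
    if ($segment === '' || $permitted === '') {
        return true;
    }
    return (bool) preg_match('|^[' . permitted_uri_class($permitted) . ']+$|i', $segment);
}

// Outcome for a whole request path: CI rejects the first bad segment with
// show_error('The URI you submitted has disallowed characters.', 400),
// i.e. its own 400 page, not the web server's 403.
function check_uri_path($path, $permitted = 'a-z 0-9~%.:_\-')
{
    foreach (explode('/', trim($path, '/')) as $segment) {
        if (!segment_allowed($segment, $permitted)) {
            return 400;
        }
    }
    return 200;
}

// Constructed sample paths for the search() controller in the question:
// a slug produced by url_title(), a raw '<script>' segment, and the bare route.
foreach (array('/search/codeigniter-xss', '/search/<script>', '/search') as $path) {
    printf("%-25s -> HTTP %d\n", $path, check_uri_path($path));
}
```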